What are audit rights under data-processing agreements?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your Data Processing Agreement (DPA) should give you the right to verify that your processor is actually meeting its obligations. That's what audit rights are: the mechanism for holding your vendor accountable beyond just their promises.
Under GDPR Article 28, processors are required to make all information necessary to demonstrate compliance available to the controller. In practice, this usually means one of two things:
Direct audit rights: You can inspect the processor's systems, documentation, and processes yourself (or through a third party). This is expensive and disruptive, so most vendors try to limit when and how it can happen. Your DPA should specify notice periods (30-90 days is typical), frequency, and scope.
Third-party audit reports: Many ESPs satisfy audit rights by sharing SOC 2 Type II or ISO 27001 reports, which are independent assessments of their security and data handling controls. This is more practical for most senders. If your vendor offers only this route, make sure you can actually request the report on demand, not just receive it if they choose to share it.
What to look for in your DPA: the right to receive audit reports, the right to request additional information, and the right to conduct direct audits if the report isn't sufficient. A vendor who refuses all direct audit mechanisms in their standard contract is worth questioning.
If you're not sure what your current DPA actually covers, it's worth reading it before your next renewal. Most senders discover gaps only when they need to use them. Check your sub-processor list and confirm audit rights extend to those third parties too.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.